Why is Netflix Cracking Down on Password Sharing?

In mid-March, Netflix users began to report sightings of a screen that said:

“If you don’t live with the owner of this account, you need your own account to keep watching.”

While the streaming platform has yet to reveal whether this is anything more than a beta test, a spokesperson told the BBC:

“This test is designed to help ensure that people using Netflix accounts are authorized to do so.”

The test requires users to verify that they have permission to access the account with a code sent via text or email.

But Netflix has been around for years, so why is the company incorporating two-factor authentication (2FA) now?

Why is Netflix cracking down on password sharing now?

Chances are that if you weren’t sharing passwords for streaming accounts amongst family members, friends, neighbors or pets before lockdown hit, it’s likely you do now. With the global population spending more time at home, streaming services have never been more in demand. Rather than asking which hot new bar you went to at the weekend, you’re more likely to be asked whether you watched the latest Netflix series.

Netflix reported a 22% increase in new subscribers in 2020 (36.5 million), giving the platform a total of 204 million users worldwide. These enormous figures equate to Netflix dominating 53.5% of the market (a historical low), while Apple TV+ takes 3.9% and Disney+ 3.6%. Other streaming services that emerged on to the market in the last 12 months include HBO Max and Paramount+.

The question is: how many more Netflix subscribers would there be if we weren’t sharing passwords amongst households?

In a 2016 statement, Reed Hastings, Netflix CEO said:

“Password sharing is something you have to learn to live with, because there’s so much legitimate password sharing, like you share with your spouse, with your kids …so there’s no bright line, and we’re doing fine as it is.

And with slam dunk programming throughout the pandemic such as Bridgerton, The Queen’s Gambit and Tiger King, it would seem that Netflix could continue as it was. But that’s not the only tale to tell here.

The sheer magnitude of Netflix subscribers means that the streaming service will inevitably experience challenges before the other, relatively infant services. One of which is the threat of account theft carried out by malicious bots.

How and why are bots targeting streaming services?

Another consequence of the pandemic is increased malicious bot activity. As people think of new ways to make money in the face of economic adversity, or they simply want to access accounts (and we’re not just talking about streaming here) at a knockdown rate, more are buying and using bots to carry out a range of attacks including account takeover attacks.

Account takeover occurs when an attacker illegally logs in to a user’s account. When an attack is successful, the attacker can carry out any manner of activity for their own gain, including the acquisition of personally identifiable information (PII), preventing access to the account and selling the account details on for a profit.

We asked Liam Jones, Threat Research specialist at Netacea, for his thoughts on the bot challenges facing Netflix:

“It’s likely that Netflix has noticed an increase in different IPs abusing the policy of sharing accounts, but that will also be because of credential stuffing [a prevalent account takeover technique]. Although it’s illegal, it’s easy to carry out and the tools are freely available.”

“Many customers will have bad password hygiene and there will come a point that a company – in this case Netflix – has to act. It took me 10 seconds to find a catalog of Netflix accounts and it’s the customer password hygiene that allows this to happen. Although you can bypass 2FA, 2FA is certainly better than no 2FA and should become a default component of any online service.”

Why is Netflix password and account sharing bad practice?

Passwords need to be strong, preferably uncrackable, stored securely in a password manager, and known only to the account holder. Once we start to let these practices fall by the wayside the whole system can come crumbling down.

Sharing passwords amongst households increases the risk because it simply reduces your control. You don’t know how the passwords are being stored by others or whether they’re being recycled elsewhere.

A report by LastPass in 2018 revealed that although 91% of users claim to understand the risks of reusing passwords, 59% did so anyway.

This means that any data breach could make vulnerable dozens of user accounts that use the same password, with the username and password combo likely to find its way to a data dump on the dark web or the account sold on a marketplace. Suddenly your account isn’t just accessed by those with your permission, but Frank in Spain/Plymouth/Germany has popped up and is about to lock you all out.

Is two-factor authentication enough to protect customers?

Building in 2FA is a good place to start. However, it’s not a foolproof approach and, as we know, it’s only a matter of time before an attacker finds the next weak link.

Detecting and stopping malicious bots before the damage is done is critical to protecting customers and your brand reputation. It is vital that your bot management technology provides comprehensive protection against bot activity that targets weaknesses across your website, mobile app and API-based systems.

This must look beyond traditional bot defense that focused on reputational feeds and JavaScript checks to include real-time analysis of user behaviors to effectively identify bad actors.

Talk to the Netacea team today to find out how our best-of-breed bot management technology protects websites, mobile apps and APIs from malicious attacks such as credential stuffing and account takeover.